Security and privacy represent important issues in modern communication when network-enabled devices such as mobile phones, personal computers, routers, set-top boxes and the like communicate over fixed or wireless networks. There are a number of scenarios where a network-enabled device is to be provisioned with sensitive material from a remote provisioning server in order to enhance security and privacy. Illustrative examples of such a provisioning server include a Certificate Authority (CA), a conditional access (CAS) or Digital Rights Management (DRM) registration server, and an identity/licensing server.
A Certificate Authority (CA) issues digital certificates which can be used as an attestation by the CA of the certificate holder's identity. The CA sends the certificate, along with a public/private key pair, to the network-enabled device for use in other security procedures. The CA may also be a renewal system that allows the device to obtain a new identity based on presentation of an old identity.
A conditional access (CAS) or Digital Rights Management (DRM) registration server, which registers a device so that it can receive valuable content (e.g., video, audio, documents, etc.), sends sensitive key material to the device to be used in conjunction with CAS or DRM protocols and procedures to access the valuable content. A CAS or DRM registration server can also be viewed as a renewal system, because it needs to perform a strong authentication of the device identity and its credentials before registering the device.
An identity/licensing server, operating in conjunction with an application service (e.g., a picture/file sharing service, a cloud service, a home security system, a health-record system, etc.), sends the network-enabled device a set of credentials for subsequent use to access one or more services provided by the application. The identity server needs to authenticate the device before registering it for service and providing it with access credentials/licenses.
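As an added illustration of the renewal pattern the paragraphs above describe (a provisioning server strongly authenticates a device's existing identity before handing out a new one), and not code from this page: a small Go model in which the server issues an identity carrying a CA-style attestation, and the device renews by signing the request with the old identity's private key. The names Identity, Server, Issue, SignRenewal and Renew are hypothetical, and Ed25519 plus the server-side table of each device's current key are assumptions of this sketch.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Identity is a constructed stand-in for the certificate plus key pair a provisioning server hands to a device (hypothetical type).
type Identity struct {
	DeviceID  string
	Pub       ed25519.PublicKey
	Priv      ed25519.PrivateKey // held by the device only; the server keeps no copy
	ServerSig []byte             // the server's attestation over DeviceID|Pub
}

func attested(deviceID string, pub ed25519.PublicKey) []byte { return append([]byte(deviceID), pub...) }

// Server is a renewal-capable provisioning server; current holds each device's one valid key (assumed state).
type Server struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	current map[string]ed25519.PublicKey
}

func NewServer() *Server {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Server{priv, pub, map[string]ed25519.PublicKey{}}
}

// Issue mints a fresh identity and records its key as the device's current one.
func (s *Server) Issue(deviceID string) Identity {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	s.current[deviceID] = pub
	return Identity{deviceID, pub, priv, ed25519.Sign(s.priv, attested(deviceID, pub))}
}

// SignRenewal is the device side: prove possession of the old identity's private key.
func SignRenewal(old Identity) []byte {
	return ed25519.Sign(old.Priv, append([]byte("renew:"), attested(old.DeviceID, old.Pub)...))
}

// Renew hands out a new identity only after the old one is strongly authenticated.
func (s *Server) Renew(old Identity, reqSig []byte) (Identity, error) {
	msg := attested(old.DeviceID, old.Pub)
	switch cur, ok := s.current[old.DeviceID]; {
	case !ok || !cur.Equal(old.Pub):
		return Identity{}, errors.New("unknown or superseded identity")
	case !ed25519.Verify(s.Pub, msg, old.ServerSig):
		return Identity{}, errors.New("old identity not attested by this server")
	case !ed25519.Verify(old.Pub, append([]byte("renew:"), msg...), reqSig):
		return Identity{}, errors.New("request not signed with the old identity's key")
	}
	return s.Issue(old.DeviceID), nil // the new key supersedes the old one
}
```

The file declares package main without a main function, so exercise it from a Go test in the same package that calls Issue, SignRenewal and Renew.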